#######################################################################
Luigi Auriemma
Application: Enemy Territory: Quake Wars
http://www.enemyterritory.com
http://www.idsoftware.com/games/enemyterritory/etqw/
Versions: <= 1.5.12642.33243
Platforms: Windows (tested), Linux, Mac OS X, PlayStation 3, Xbox 360
Bug: invalid URL buffer-overflow
Exploitation: remote, versus clients (from malicious server)
Date: 18 Jun 2010
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Enemy Territory: Quake Wars (ETQW) is a well known and appreciated FPS
based on the idTech4 engine and developed by Splash Damage and
id Software.
#######################################################################
======
2) Bug
======
There is a function in the game which is used for displaying particular
error messages in the console
("********************\nERROR: %s\n********************") and it is
affected by a buffer overflow vulnerability.
One of the ways I have found for exploiting it is through a malicious
server that forces the client to download some missing or different
files through the pureServer command followed by a downloadInfo one
containing a URL with the following attributes:
- it must be an invalid http:// URL, because that is what reaches the
bugged function, which is called when ShellExecuteEx (used for
launching the URL) fails
- it must be at most 1024 bytes long; anything longer gets truncated
automatically
- it must be sufficiently disguised, because the user's OK is required
for exploiting it
For the first and last points I have opted for a backspace char before
the URL and a long sequence of line-feed chars after it, so that it
looks normal because the shellcode is displayed off-screen.
As already said, the user must accept the download for the
vulnerability to be exploited:
You are missing required pak files to connect to this server.
The server gave a web page though:
http://SERVER/valid_file.pk4
YES NO
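As an added illustration (my own code, not the game's and not the
author's), the following C shows the unsafe shape of an error-display
routine next to a bounded version, plus a check that refuses to show the
user a URL carrying control characters such as the backspace and
line-feed chars described above. Only the console format string and the
1024-byte URL limit come from the advisory; the buffer size
CONSOLE_LINE_MAX, the function names and the sample inputs are
assumptions.

```c
#include <stdio.h>
#include <string.h>

#define CONSOLE_LINE_MAX 256   /* assumed size of the console line buffer */
#define URL_MAX          1024  /* the advisory's stated URL truncation length */

/* Format string quoted in the advisory. */
static const char ERR_FMT[] =
    "********************\nERROR: %s\n********************";

/* Unsafe shape (illustration only, never called here): sprintf has no
 * bound, so a msg longer than the remaining room in line[] overflows it. */
void show_error_unsafe(const char *msg)
{
    char line[CONSOLE_LINE_MAX];
    sprintf(line, ERR_FMT, msg);
    fputs(line, stderr);
}

/* Hardened version: snprintf never writes past out_len bytes and its
 * return value tells whether the message was cut. Returns 1 if truncated,
 * 0 if it fit, -1 on bad arguments or encoding error. */
int format_error_line(char *out, size_t out_len, const char *msg)
{
    int n;
    if (out == NULL || out_len == 0 || msg == NULL)
        return -1;
    n = snprintf(out, out_len, ERR_FMT, msg);
    if (n < 0)
        return -1;
    return (size_t)n >= out_len;
}

/* Convenience wrapper: 1 if msg fits in a CONSOLE_LINE_MAX buffer. */
int error_line_fits(const char *msg)
{
    char line[CONSOLE_LINE_MAX];
    return format_error_line(line, sizeof line, msg) == 0;
}

/* Returns 1 only if url is something safe to present in a yes/no prompt:
 * non-empty, within URL_MAX, an http:// or https:// scheme, and made of
 * printable ASCII only. Control chars (backspace, line feed, ...) that
 * could hide part of the text from the user are rejected outright. */
int url_is_displayable(const char *url)
{
    size_t len, i;
    if (url == NULL)
        return 0;
    len = strlen(url);
    if (len == 0 || len > URL_MAX)
        return 0;
    if (strncmp(url, "http://", 7) != 0 && strncmp(url, "https://", 8) != 0)
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)url[i];
        if (c < 0x20 || c > 0x7e)
            return 0;
    }
    return 1;
}

/* Constructed sample: a syntactically clean 1000-byte URL used to show
 * that the console buffer, not the URL limit, is the binding constraint. */
const char *constructed_long_url(void)
{
    static char buf[URL_MAX + 1];
    const char prefix[] = "http://SERVER/";
    size_t plen = sizeof prefix - 1;
    memcpy(buf, prefix, plen);
    memset(buf + plen, 'A', 1000 - plen);
    buf[1000] = '\0';
    return buf;
}

int main(void)
{
    char line[CONSOLE_LINE_MAX];
    printf("long url truncated in console line: %d\n",
           format_error_line(line, sizeof line, constructed_long_url()));
    printf("disguised url displayable: %d\n",
           url_is_displayable("\bhttp://SERVER/valid_file.pk4\n\n\n"));
    printf("plain url displayable: %d\n",
           url_is_displayable("http://SERVER/valid_file.pk4"));
    return 0;
}
```

The two checks are independent: bounding the write stops the overflow
whatever the URL contains, and rejecting control characters before the
prompt is drawn removes the disguise that makes the user click YES.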
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/etqwcbof.zip
#######################################################################
======
4) Fix
======
No fix.
#######################################################################